My guess would be that the provider is modelling this block type as a set of objects rather than as a list, reflecting that the remote system doesn’t consider these to be in any particular order.
But that then runs into a tricky characteristic of sets: the elements have no identifier other than the value itself, and Terraform can’t really track sensitivity of individual elements without an ability to identify them. For a list that identifier would be the index, and for a map it would be the key.
So as an approximation Terraform has to just mark the whole set as sensitive, because to do otherwise might indirectly betray a sensitive value, such as by coalescing it with another value that happens to be equal but isn’t sensitive.
This current compromise is definitely a rough edge for resource types like this one which have lots of nested blocks; ideally the cloudfront API would be modelled as a bunch of separate resource types to be composed together as we see for other services, but the cloudfront API doesn’t match that modelling.
I think still worth raising to the provider team if there isn’t already an issue describing this problem, but I also feel unsure about what the provider could do differently here to avoid it; perhaps opening an issue about it will prompt a larger discussion where someone will offer a compelling compromise I’m not considering.